Unpacking Clop

Sebdraven
Sebdraven
Dec 2 · 2 min read

On twitter, a good analysis of the ransomware Clop has done. But nothing on the unpacking.

The packer has three stages.

The first stage is an allocation and dexoring of the overlay in the function FUN_00401000

local_c = (code *)VirtualAllocEx((HANDLE)0xffffffff,(LPVOID)0x0,0x1c20,DAT_0043f0dc,0x40)

while (local_40 < 900) {
local_80 = DAT_00426260;
uVar1 = *(int *)(&DAT_00426264 + local_40 * 4) - local_40 ^ DAT_00426260;
local_24 = local_24 + -0x438;
local_84 = (uVar1 << 7 | uVar1 >> 0x19) ^ DAT_00426260;
*(uint *)(local_c + local_40 * 4) = local_84;
local_40 = local_40 + 1;
}

the dropper jump in the shellcode with:

00401317 call dword ptr ds:[440D04]

the second stage is the execution of the shell code in six steps:

The first step is to allocate a new page with Virtualloc.

The second step is decoded an compressed PE.

The third step is a decompression of the payload without import table in 3B010.

The fourth step is reconstruction of the import table in 3B0910.

The fifth step is the wipe of the loader in memory.

And the last stage is the copy of the real payload with the function 3B0910.

And jump in the new entrypoint in dword ptr [ebp-58]=[0012FB84]=m.00407BB3

Now you have the real malware clop for following the analysis of Minhee Lee

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade